From c17bb24c085f7dd580cc7c7c581b9f0583d02ac1 Mon Sep 17 00:00:00 2001
From: JoeWang-Java
Date: Wed, 17 Apr 2024 23:23:03 +0000
Subject: [PATCH 01/16] 8330542: Add two sample configuration files
---
.../share/conf/jaxp-compat.properties | 117 ++++++++++++++++++
.../share/conf/jaxp-strict.properties | 114 +++++++++++++++++
2 files changed, 231 insertions(+)
create mode 100644 src/java.xml/share/conf/jaxp-compat.properties
create mode 100644 src/java.xml/share/conf/jaxp-strict.properties
diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties
new file mode 100644
index 0000000000000..a2d4e86dd19cd
--- /dev/null
+++ b/src/java.xml/share/conf/jaxp-compat.properties
@@ -0,0 +1,117 @@
+################################################################################
+# JAXP Compatibility Configuration File
+#
+# ** Warning: unsafe configuration, use with security assessment **
+#
+# jaxp-compat.properties is a JAXP configuration file with compatible settings
+# prior to a strict configuration such as jaxp-strict.properties. In this
+# configuration, properties that have more restrictive settings as in the
+# strict configuration (jaxp-strict.properties) are reversed back to their
+# defaults. In particular:
+# - JDKCatalog Resolve is set to "continue"
+# - Extension Functions are enabled
+# - JAXP Limits are set to their default values
+#
+# This configuration file can be used to reverse back to a working environment
+# prior to any more restrictive configuration that may have been applied.
+# Use the system property java.xml.config.file to override the default configuration:
+#
+# java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties
+################################################################################
+
+#
+# ---- Implementation Specific Properties ----
+# For a complete list of properties, refer to the Implementation Specific Properties
+# table in the java.xml/module-summary.
+#
+# Extension Functions:
+#
+# This property determines whether XSLT and XPath extension functions are allowed.
+# The value type is boolean and the default value is true (allowing
+# extension functions). The following entry would override any change that may
+# have been made by the default configuration:
+#
+jdk.xml.enableExtensionFunctions=true
+#
+#
+# Overriding the default parser:
+#
+# This property allows using a third party implementation to override the default
+# parser provided by the JDK. The value type is boolean and the default value is
+# false, disallowing overriding the default parser. The setting below reflects
+# the default property setting:
+#
+jdk.xml.overrideDefaultParser=false
+#
+# Implementation Specific Properties - jdkcatalog.resolve
+#
+# This property instructs the JDK default CatalogResolver to act in accordance with
+# the setting when unable to resolve an external reference with the built-in Catalog.
+# The options are:
+# continue -- indicates that the processing should continue
+# ignore -- indicates that the reference is skipped
+# strict -- indicates that the resolver should throw a CatalogException
+#
+# The following setting would allow the resolution to continue in cases where
+# external references are not resolved by a user-defined resolver or catalog if
+# any, and the JDKCatalog:
+jdk.xml.jdkcatalog.resolve=continue
+#
+# Implementation Specific Properties - DTD
+#
+# This property instructs the parsers to: deny, ignore or allow DTD processing.
+# The following setting would cause the parser to reject DTD by throwing an exception.
+# jdk.xml.dtd.support=deny
+#
+# The following setting permits the processor to continue processing DTDs
+jdk.xml.dtd.support=allow
+#
+# Implementation Specific Properties - Limits
+#
+# Limits have a value type Integer. The values must be positive integers. Zero
+# means no limit.
+#
+# Limits the number of entity expansions
+jdk.xml.entityExpansionLimit=64000
+#
+# Limits the total size of all entities that include general and parameter entities.
+# The size is calculated as an aggregation of all entities.
+jdk.xml.totalEntitySizeLimit=10000000
+#
+# Limits the maximum size of any general entities.
+jdk.xml.maxGeneralEntitySizeLimit=0
+#
+# Limits the maximum size of any parameter entities, including the result of
+# nesting multiple parameter entities.
+jdk.xml.maxParameterEntitySizeLimit=1000000
+#
+# Limits the total number of nodes in all entity references.
+jdk.xml.entityReplacementLimit=3000000
+#
+# Limits the number of attributes an element can have. The default value is 10000.
+jdk.xml.elementAttributeLimit=10000
+#
+# Limits the number of content model nodes that may be created when building a
+# grammar for a W3C XML Schema that contains maxOccurs attributes with values
+# other than "unbounded". The default value is 5000.
+jdk.xml.maxOccurLimit=5000
+#
+# Limits the maximum element depth. The default value is 0.
+jdk.xml.maxElementDepth=0
+#
+# Limits the maximum size of XML names, including element name, attribute name
+# and namespace prefix and URI. The default value is 1000.
+jdk.xml.maxXMLNameLimit=1000
+#
+#
+# XPath Limits
+#
+# Limits the number of groups an XPath expression can contain. The default value is 10.
+jdk.xml.xpathExprGrpLimit=10
+#
+# Limits the number of operators an XPath expression can contain. The default value is 100.
+jdk.xml.xpathExprOpLimit=100
+#
+# Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000.
+jdk.xml.xpathTotalOpLimit=10000
+
diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties
new file mode 100644
index 0000000000000..7fe530103c0f7
--- /dev/null
+++ b/src/java.xml/share/conf/jaxp-strict.properties
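Review bot: In jaxp-compat.properties, `jdk.xml.maxGeneralEntitySizeLimit=0` and `jdk.xml.maxElementDepth=0` switch those two bounds off entirely (the Limits preamble says zero means no limit), yet the comments above them read as though a limit were enforced. Combined with `jdk.xml.dtd.support=allow` and `jdk.xml.jdkcatalog.resolve=continue`, whoever selects this file gets DTD processing with unbounded general entities and unresolved external references allowed to proceed, so each unbounded entry deserves an explicit marker such as `# 0 = no limit (unbounded)`. The preamble contradicts itself and would read better as `# The values must be non-negative integers. Zero means no limit.` The entries from entityExpansionLimit to entityReplacementLimit also lack the "The default value is …" sentence that the later entries carry.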
@@ -0,0 +1,114 @@
+################################################################################
+# JAXP String Configuration File
+#
+# jaxp-strict.properties is a JAXP configuration file with more restrictive
+# settings than the default jaxp.properties. In particular:
+# - JDKCatalog Resolve is on "strict" setting
+# - Extension Functions are disabled
+# - JAXP Limits are set to smaller numbers
+#
+# This configuration file can be set up using the system property
+# java.xml.config.file to override the default configuration jaxp.properties
+# and used to assess the impact of a stricter configuration:
+#
+# java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties
+################################################################################
+
+#
+# ---- Implementation Specific Properties ----
+# For a complete list of properties, refer to the Implementation Specific Properties
+# table in the java.xml/module-summary.
+#
+# Extension Functions:
+#
+# This property determines whether XSLT and XPath extension functions are allowed.
+# The value type is boolean and the default value is true (allowing
+# extension functions). The following entry would override the default value and
+# disallow extension functions:
+#
+jdk.xml.enableExtensionFunctions=false
+#
+#
+# Overriding the default parser:
+#
+# This property allows using a third party implementation to override the default
+# parser provided by the JDK. The value type is boolean and the default value is
+# false, disallowing overriding the default parser. The setting below reflects
+# the default property setting:
+#
+jdk.xml.overrideDefaultParser=false
+#
+# Implementation Specific Properties - jdkcatalog.resolve
+#
+# This property instructs the JDK default CatalogResolver to act in accordance with
+# the setting when unable to resolve an external reference with the built-in Catalog.
+# The options are:
+# continue -- indicates that the processing should continue
+# ignore -- indicates that the reference is skipped
+# strict -- indicates that the resolver should throw a CatalogException
+#
+# The following setting would cause the resolver to throw a CatalogException when
+# external references are not resolved by a user-defined resolver or catalog,
+# or the JDKCatalog:
+jdk.xml.jdkcatalog.resolve=strict
+#
+# Implementation Specific Properties - DTD
+#
+# This property instructs the parsers to: deny, ignore or allow DTD processing.
+# The following setting would cause the parser to reject DTD by throwing an exception.
+# jdk.xml.dtd.support=deny
+#
+# The following setting permits the processor to continue processing DTDs. Note
+# that while DTDs are allowed in this configuration, external references are
+# restricted, and limits on DTD entities are tightened:
+jdk.xml.dtd.support=allow
+#
+# Implementation Specific Properties - Limits
+#
+# Limits have a value type Integer. The values must be positive integers. Zero
+# means no limit.
+#
+# Limits the number of entity expansions
+jdk.xml.entityExpansionLimit=2500
+#
+# Limits the total size of all entities that include general and parameter entities.
+# The size is calculated as an aggregation of all entities.
+jdk.xml.totalEntitySizeLimit=100000
+#
+# Limits the maximum size of any general entities.
+jdk.xml.maxGeneralEntitySizeLimit=100000
+#
+# Limits the maximum size of any parameter entities, including the result of
+# nesting multiple parameter entities.
+jdk.xml.maxParameterEntitySizeLimit=15000
+#
+# Limits the total number of nodes in all entity references.
+jdk.xml.entityReplacementLimit=100000
+#
+# Limits the number of attributes an element can have. The default value is 10000.
+jdk.xml.elementAttributeLimit=10000
+#
+# Limits the number of content model nodes that may be created when building a
+# grammar for a W3C XML Schema that contains maxOccurs attributes with values
+# other than "unbounded". The default value is 5000.
+jdk.xml.maxOccurLimit=5000
+#
+# Limits the maximum element depth. The default value is 0.
+jdk.xml.maxElementDepth=0
+#
+# Limits the maximum size of XML names, including element name, attribute name
+# and namespace prefix and URI. The default value is 1000.
+jdk.xml.maxXMLNameLimit=1000
+#
+#
+# XPath Limits
+#
+# Limits the number of groups an XPath expression can contain. The default value is 10.
+jdk.xml.xpathExprGrpLimit=10
+#
+# Limits the number of operators an XPath expression can contain. The default value is 100.
+jdk.xml.xpathExprOpLimit=100
+#
+# Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000.
+jdk.xml.xpathTotalOpLimit=10000
+
From e36e5fd4e67a785f9cd10ae0dc9f1c1474c500ba Mon Sep 17 00:00:00 2001
From: JoeWang-Java
Date: Wed, 17 Apr 2024 23:47:05 +0000
Subject: [PATCH 02/16] fix whitespace
---
src/java.xml/share/conf/jaxp-compat.properties | 9 ++++-----
src/java.xml/share/conf/jaxp-strict.properties | 9 ++++-----
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties
index a2d4e86dd19cd..e1bd64dc52d1d 100644
--- a/src/java.xml/share/conf/jaxp-compat.properties
+++ b/src/java.xml/share/conf/jaxp-compat.properties
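Review bot: The header of jaxp-strict.properties promises "JAXP Limits are set to smaller numbers", but only the five entity limits (entityExpansionLimit through entityReplacementLimit) are lowered; `jdk.xml.maxElementDepth=0` stays unlimited, and elementAttributeLimit, maxOccurLimit, maxXMLNameLimit and the three XPath limits keep the values their own comments call the default. A deployment that adopts this file to assess a hardened setup would therefore still accept arbitrarily deep element nesting. If that is intended, the header bullet should say so, e.g. `# - Entity-related JAXP Limits are set to smaller numbers; other limits keep their defaults`, and the depth entry should carry `# 0 = no limit`; otherwise a finite depth belongs in this profile.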
@@ -13,7 +13,7 @@ # - JAXP Limits are set to their default values # # This configuration file can be used to reverse back to a working environment -# prior to any more restrictive configuration that may have been applied. +# prior to any more restrictive configuration that may have been applied. # Use the system property java.xml.config.file to override the default configuration: # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties @@ -22,7 +22,7 @@ # # ---- Implementation Specific Properties ---- # For a complete list of properties, refer to the Implementation Specific Properties -# table in the java.xml/module-summary. +# table in the java.xml/module-summary. # # Extension Functions: # @@ -82,10 +82,10 @@ jdk.xml.totalEntitySizeLimit=10000000 jdk.xml.maxGeneralEntitySizeLimit=0 # # Limits the maximum size of any parameter entities, including the result of -# nesting multiple parameter entities. +# nesting multiple parameter entities. jdk.xml.maxParameterEntitySizeLimit=1000000 # -# Limits the total number of nodes in all entity references. +# Limits the total number of nodes in all entity references. jdk.xml.entityReplacementLimit=3000000 # # Limits the number of attributes an element can have. The default value is 10000. @@ -114,4 +114,3 @@ jdk.xml.xpathExprOpLimit=100 # # Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000. jdk.xml.xpathTotalOpLimit=10000 - diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index 7fe530103c0f7..f36534ec4df09 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties 
@@ -3,7 +3,7 @@ # # jaxp-strict.properties is a JAXP configuration file with more restrictive # settings than the default jaxp.properties. In particular: -# - JDKCatalog Resolve is on "strict" setting +# - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers # @@ -17,7 +17,7 @@ # # ---- Implementation Specific Properties ---- # For a complete list of properties, refer to the Implementation Specific Properties -# table in the java.xml/module-summary. +# table in the java.xml/module-summary. # # Extension Functions: # @@ -79,10 +79,10 @@ jdk.xml.totalEntitySizeLimit=100000 jdk.xml.maxGeneralEntitySizeLimit=100000 # # Limits the maximum size of any parameter entities, including the result of -# nesting multiple parameter entities. +# nesting multiple parameter entities. jdk.xml.maxParameterEntitySizeLimit=15000 # -# Limits the total number of nodes in all entity references. +# Limits the total number of nodes in all entity references. jdk.xml.entityReplacementLimit=100000 # # Limits the number of attributes an element can have. The default value is 10000. @@ -111,4 +111,3 @@ jdk.xml.xpathExprOpLimit=100 # # Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000. jdk.xml.xpathTotalOpLimit=10000 - From 98fcc3ef587cda861691f02d6b5719efd1a8bbdf Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Thu, 18 Apr 2024 21:49:42 +0000 Subject: [PATCH 03/16] add description of the three configuration files. --- .../share/conf/jaxp-compat.properties | 24 ++++++++++++++--- .../share/conf/jaxp-strict.properties | 26 ++++++++++++++++--- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties index e1bd64dc52d1d..6696e15af4bab 100644 --- a/src/java.xml/share/conf/jaxp-compat.properties +++ b/src/java.xml/share/conf/jaxp-compat.properties 
@@ -3,9 +3,27 @@ # # ** Warning: unsafe configuration, use with security assessment ** # -# jaxp-compat.properties is a JAXP configuration file with compatible settings -# prior to a strict configuration such as jaxp-strict.properties. In this -# configuration, properties that have more restrictive settings as in the +# This is one of the three configuration files provided in the JDK: +# +# jaxp.properties: this is the default configuration that the JDK uses to set +# property values when XML factories are initiated. +# +# jaxp-strict.properties: this file resembles what will become the Secure-By-Default +# configuration where a strict restriction is the default. This file allows +# deployments to test the more secure/strict behavior, identify issues such as +# a processor unknowingly makes outbound network connections to fetch DTD, +# or processes XML that relies on extension functions +# +# jaxp-compat.properties: this file can be used to regain compatibility once the +# JDK has switched to a strict configuration as indicated in jaxp-strict.properties. +# This configuration contains the same properties as those in jaxp-strict.properties +# except it sets them back to the current status of the JDK. Note that, although +# this means getting back to the current configuration, this file is different +# from the default `jaxp.properties` in that it contains exactly the same properties +# as in jaxp-strict.properties while `jaxp.properties` has fewer property settings +# and leaves the majority of the properties to their default values. +# +# In this configuration, properties that have more restrictive settings as in the # strict configuration (jaxp-strict.properties) are reversed back to their # defaults. In particular: # - JDKCatalog Resolve is set to "continue" diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index f36534ec4df09..fcd48bff2ea62 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties 
+++ b/src/java.xml/share/conf/jaxp-strict.properties @@ -1,8 +1,28 @@ ################################################################################ # JAXP String Configuration File # -# jaxp-strict.properties is a JAXP configuration file with more restrictive -# settings than the default jaxp.properties. In particular: +# This is one of the three configuration files provided in the JDK: +# +# jaxp.properties: this is the default configuration that the JDK uses to set +# property values when XML factories are initiated. +# +# jaxp-strict.properties: this file resembles what will become the Secure-By-Default +# configuration where a strict restriction is the default. This file allows +# deployments to test the more secure/strict behavior, identify issues such as +# a processor unknowingly makes outbound network connections to fetch DTD, +# or processes XML that relies on extension functions +# +# jaxp-compat.properties: this file can be used to regain compatibility once the +# JDK has switched to a strict configuration as indicated in jaxp-strict.properties. +# This configuration contains the same properties as those in jaxp-strict.properties +# except it sets them back to the current status of the JDK. Note that, although +# this means getting back to the current configuration, this file is different +# from the default `jaxp.properties` in that it contains exactly the same properties +# as in jaxp-strict.properties while `jaxp.properties` has fewer property settings +# and leaves the majority of the properties to their default values. +# +# This file, jaxp-strict.properties represents more restrictive settings than the +# default jaxp.properties. In particular: # - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers 
@@ -47,7 +67,7 @@ jdk.xml.overrideDefaultParser=false # ignore -- indicates that the reference is skipped # strict -- indicates that the resolver should throw a CatalogException # -# The following setting would cause the resolver to throw a CatalogException when +# The following setting would cause the resolve to throw a CatalogException when # external references are not resolved by a user-defined resolver or catalog, # or the JDKCatalog: jdk.xml.jdkcatalog.resolve=strict From e63860152b7f1b22e44b1321edee2030fb9b0346 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Fri, 19 Apr 2024 17:35:47 +0000 Subject: [PATCH 04/16] fix typo --- src/java.xml/share/conf/jaxp-strict.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index fcd48bff2ea62..cc3077f45ec09 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties @@ -1,5 +1,5 @@ ################################################################################ -# JAXP String Configuration File +# JAXP Strict Configuration File # # This is one of the three configuration files provided in the JDK: # From 019c2aeee4465c61abb5696803b006e14841d5fc Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Fri, 19 Apr 2024 21:51:12 +0000 Subject: [PATCH 05/16] changes description of jaxp-compat and jaxp-strict after discussing with Lance --- .../share/conf/jaxp-compat.properties | 27 +++++++++---------- .../share/conf/jaxp-strict.properties | 27 +++++++++---------- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties index 6696e15af4bab..0408c1e672f4c 100644 --- a/src/java.xml/share/conf/jaxp-compat.properties +++ b/src/java.xml/share/conf/jaxp-compat.properties 
@@ -8,20 +8,19 @@ # jaxp.properties: this is the default configuration that the JDK uses to set # property values when XML factories are initiated. # -# jaxp-strict.properties: this file resembles what will become the Secure-By-Default -# configuration where a strict restriction is the default. This file allows -# deployments to test the more secure/strict behavior, identify issues such as -# a processor unknowingly makes outbound network connections to fetch DTD, -# or processes XML that relies on extension functions -# -# jaxp-compat.properties: this file can be used to regain compatibility once the -# JDK has switched to a strict configuration as indicated in jaxp-strict.properties. -# This configuration contains the same properties as those in jaxp-strict.properties -# except it sets them back to the current status of the JDK. Note that, although -# this means getting back to the current configuration, this file is different -# from the default `jaxp.properties` in that it contains exactly the same properties -# as in jaxp-strict.properties while `jaxp.properties` has fewer property settings -# and leaves the majority of the properties to their default values. +# jaxp-strict.properties: this property file provides settings that will be +# equivalent to what will be the default JAXP settings in a future release to +# make the use of JAXP more secure by default. This file allows deployments to +# test the more secure/strict behavior, identify issues such as a processor +# unknowingly makes outbound network connections to fetch DTD, or processes XML +# that relies on extension functions +# +# jaxp-compat.properties: this configuration specifies the property values that +# are the same as the properties' default values. It can be used to regain +# compatibility from a more strict configuration in a future release. 
+# The difference from the default `jaxp.properties` is that it contains additional +# properties that were not included in jaxp.properties, setting them to their +# default values. # # In this configuration, properties that have more restrictive settings as in the # strict configuration (jaxp-strict.properties) are reversed back to their diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index cc3077f45ec09..634bdaede952a 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties 
@@ -6,20 +6,19 @@ # jaxp.properties: this is the default configuration that the JDK uses to set # property values when XML factories are initiated. # -# jaxp-strict.properties: this file resembles what will become the Secure-By-Default -# configuration where a strict restriction is the default. This file allows -# deployments to test the more secure/strict behavior, identify issues such as -# a processor unknowingly makes outbound network connections to fetch DTD, -# or processes XML that relies on extension functions -# -# jaxp-compat.properties: this file can be used to regain compatibility once the -# JDK has switched to a strict configuration as indicated in jaxp-strict.properties. -# This configuration contains the same properties as those in jaxp-strict.properties -# except it sets them back to the current status of the JDK. Note that, although -# this means getting back to the current configuration, this file is different -# from the default `jaxp.properties` in that it contains exactly the same properties -# as in jaxp-strict.properties while `jaxp.properties` has fewer property settings -# and leaves the majority of the properties to their default values. +# jaxp-strict.properties: this property file provides settings that will be +# equivalent to what will be the default JAXP settings in a future release to +# make the use of JAXP more secure by default. This file allows deployments to +# test the more secure/strict behavior, identify issues such as a processor +# unknowingly makes outbound network connections to fetch DTD, or processes XML +# that relies on extension functions +# +# jaxp-compat.properties: this configuration specifies the property values that +# are the same as the properties' default values. It can be used to regain +# compatibility from a more strict configuration in a future release. 
+# The difference from the default `jaxp.properties` is that it contains additional +# properties that were not included in jaxp.properties, setting them to their +# default values. # # This file, jaxp-strict.properties represents more restrictive settings than the # default jaxp.properties. In particular: From 93b66312e7b157e5e6ebb229dab2da2368f2ac75 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Wed, 24 Apr 2024 23:12:53 +0000 Subject: [PATCH 06/16] add warning msg that the config files can change or be removed. --- src/java.xml/share/conf/jaxp-compat.properties | 6 ++++-- src/java.xml/share/conf/jaxp-strict.properties | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties index 0408c1e672f4c..8a02e40e49ffa 100644 --- a/src/java.xml/share/conf/jaxp-compat.properties +++ b/src/java.xml/share/conf/jaxp-compat.properties @@ -1,7 +1,9 @@ ################################################################################ # JAXP Compatibility Configuration File # -# ** Warning: unsafe configuration, use with security assessment ** +# ** Warning: unsafe configuration, use with security assessment +# ** Note: this file can change over time as the security configuration evolves +# ** along with new development. They may also be phased out and removed. # # This is one of the three configuration files provided in the JDK: # @@ -13,7 +15,7 @@ # make the use of JAXP more secure by default. This file allows deployments to # test the more secure/strict behavior, identify issues such as a processor # unknowingly makes outbound network connections to fetch DTD, or processes XML -# that relies on extension functions +# that relies on extension functions. # # jaxp-compat.properties: this configuration specifies the property values that # are the same as the properties' default values. It can be used to regain 
diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index 634bdaede952a..47dd333f62664 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties @@ -1,6 +1,9 @@ ################################################################################ # JAXP Strict Configuration File # +# ** Note: this file can change over time as the security configuration evolves +# ** along with new development. They may also be phased out and removed. +# # This is one of the three configuration files provided in the JDK: # # jaxp.properties: this is the default configuration that the JDK uses to set @@ -11,7 +14,7 @@ # make the use of JAXP more secure by default. This file allows deployments to # test the more secure/strict behavior, identify issues such as a processor # unknowingly makes outbound network connections to fetch DTD, or processes XML -# that relies on extension functions +# that relies on extension functions. # # jaxp-compat.properties: this configuration specifies the property values that # are the same as the properties' default values. It can be used to regain From af351a4ddf8c607286c78b2dd5198a1cb4fdfb8d Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Wed, 1 May 2024 22:30:19 +0000 Subject: [PATCH 07/16] Add implNote to java.xml module summary; Update make file; Update the config files; Add test. --- make/modules/java.xml/Copy.gmk | 16 ++- src/java.xml/share/classes/module-info.java | 41 ++++++- .../share/conf/jaxp-compat.properties | 10 +- .../share/conf/jaxp-strict.properties | 9 +- .../common/config/ConfigFileTest.java | 106 ++++++++++++++++++ .../jaxp/unittest/common/util/TestBase.java | 19 +++- 6 files changed, 185 insertions(+), 16 deletions(-) create mode 100644 test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java diff --git a/make/modules/java.xml/Copy.gmk b/make/modules/java.xml/Copy.gmk index 3b6c66e42c5ed..9d24486a4fe34 100644 
--- a/make/modules/java.xml/Copy.gmk +++ b/make/modules/java.xml/Copy.gmk @@ -1,5 +1,5 @@ # -# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2023, 2024, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -24,14 +24,18 @@ # include CopyCommon.gmk +include Modules.gmk ################################################################################ +# +# Copy property files from share/conf to CONF_DST_DIR LIB_DST_DIR +# +JAXPPROPFILE_SRC_DIR := $(TOPDIR)/src/java.xml/share/conf +JAXPPROPFILE_SRCS := $(wildcard $(JAXPPROPFILE_SRC_DIR)/jaxp*.properties*) +JAXPPROPFILE_TARGET_FILES := $(subst $(JAXPPROPFILE_SRC_DIR),$(CONF_DST_DIR),$(JAXPPROPFILE_SRCS)) -XML_LIB_SRC := $(TOPDIR)/src/java.xml/share/conf - -$(CONF_DST_DIR)/jaxp.properties: $(XML_LIB_SRC)/jaxp.properties +$(CONF_DST_DIR)/%: $(JAXPPROPFILE_SRC_DIR)/% $(call install-file) -TARGETS := $(CONF_DST_DIR)/jaxp.properties - +TARGETS += $(JAXPPROPFILE_TARGET_FILES) ################################################################################ diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 78ae956151906..febd31cba535f 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -402,6 +402,14 @@ * @implNote * *
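Review bot: The trailing `*` in `$(wildcard $(JAXPPROPFILE_SRC_DIR)/jaxp*.properties*)` in the second Copy.gmk hunk also matches stray files next to the real ones, such as a `.orig`, `.rej` or editor backup, and the new pattern rule `$(CONF_DST_DIR)/%` would then install them into the image's conf directory. The conf directory is where operators point `java.xml.config.file`, so the shipped set should be exact: `JAXPPROPFILE_SRCS := $(wildcard $(JAXPPROPFILE_SRC_DIR)/jaxp*.properties)`, or an explicit list of the three file names. The new comment also names `LIB_DST_DIR`, which nothing in the visible rule uses.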
    + *
  • JAXP Configuration Files + * + *
  • + *
  • JDK built-in Catalog * * + *

    JAXP Configuration Files

    + * The JDK provides three JAXP Configuration Files: + * + *
      + *
    • {@code jaxp.properties}: + * the default configuration that the JDK uses to set property values when XML + * factories are initiated.
    • + * + *
    • {@code jaxp-strict.properties}: a configuration that + * contains more restrictive settings than the default {@code jaxp.properties}. + * In particular: + * + * + * This file allows deployments to test the more secure/strict behavior, + * identify issues such as a processor unknowingly makes outbound network + * connections to fetch DTD, or processes XML that relies on extension functions. + *
    • + * + *
    • {@code jaxp-compat.properties}: a configuration specifying + * the property values that are the same as the properties' default values. It can + * be used to regain compatibility from a more strict configuration in a future release. + * The difference from the default {@code jaxp.properties} is that it contains + * additional properties that were not included in {@code jaxp.properties}, + * setting them to their default values.
    • + *
    + * + * *

    JDK built-in Catalog

    * The JDK has a built-in catalog that hosts the following DTDs defined by the Java Platform: *
      diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties index 8a02e40e49ffa..62527b2742d8c 100644 --- a/src/java.xml/share/conf/jaxp-compat.properties +++ b/src/java.xml/share/conf/jaxp-compat.properties @@ -1,10 +1,6 @@ ################################################################################ # JAXP Compatibility Configuration File # -# ** Warning: unsafe configuration, use with security assessment -# ** Note: this file can change over time as the security configuration evolves -# ** along with new development. They may also be phased out and removed. -# # This is one of the three configuration files provided in the JDK: # # jaxp.properties: this is the default configuration that the JDK uses to set @@ -36,6 +32,12 @@ # Use the system property java.xml.config.file to override the default configuration: # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties +# +# The pathname to the configuration file must be valid. If it is not absolute, +# it will be considered relative to the working directory of the JVM. If there +# is an error reading the configuration file, the configuration process proceeds +# as if the java.xml.config.file property was not set. +# ################################################################################ # diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index 47dd333f62664..4559489e85eb9 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties 
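Review bot: The first jaxp-compat.properties hunk deletes `** Warning: unsafe configuration, use with security assessment` and nothing in the visible lines replaces it, so the header no longer tells an operator that this profile enables extension functions and lets unresolved external references continue. Dropping the "can change over time" note is a separate matter; the security caveat seems worth keeping in some form, for instance `# Note: this file restores the less restrictive default settings; assess the security impact before relying on it.`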
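Review bot: The paragraph added in the second jaxp-compat.properties hunk documents that an unreadable `java.xml.config.file` is silently ignored ("proceeds as if the java.xml.config.file property was not set"), and the same text is added to jaxp-strict.properties in its second hunk below. For the strict file this means a mistyped or relative path leaves the JVM on the less restrictive default configuration with no visible error. The comment should state that consequence outright, e.g. `# Note: if this file cannot be read, the stricter settings are NOT applied; verify the effective property values after deployment.` Recommending an absolute path next to the `java -D…` example would also avoid the working-directory dependence the paragraph describes.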
@@ -1,9 +1,6 @@ ################################################################################ # JAXP Strict Configuration File # -# ** Note: this file can change over time as the security configuration evolves -# ** along with new development. They may also be phased out and removed. -# # This is one of the three configuration files provided in the JDK: # # jaxp.properties: this is the default configuration that the JDK uses to set @@ -34,6 +31,12 @@ # and used to assess the impact of a stricter configuration: # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties +# +# The pathname to the configuration file must be valid. If it is not absolute, +# it will be considered relative to the working directory of the JVM. If there +# is an error reading the configuration file, the configuration process proceeds +# as if the java.xml.config.file property was not set. +# ################################################################################ # diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java new file mode 100644 index 0000000000000..7127166e54f7a --- /dev/null +++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java 
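Review bot: The paragraph added in the second jaxp-strict.properties hunk documents fail-open behaviour without saying what it means for this file: a mistyped or wrongly relative path makes configuration proceed "as if the java.xml.config.file property was not set", so the deployment silently runs with the less restrictive defaults. Whether anything is logged in that case is not visible in this patch. I would extend the comment with something like `# Prefer an absolute path and confirm the effective values (e.g. read jdk.xml.entityExpansionLimit back from a factory); a failed read falls back to the defaults without an error.` The same paragraph is added to jaxp-compat.properties in the preceding file section, where the fallback is harmless because that file mirrors the defaults.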
@@ -0,0 +1,106 @@ +/* + * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package common.config; + +import common.util.TestBase; +import static common.util.TestBase.CONFIG_COMPAT; +import static common.util.TestBase.CONFIG_STRICT; +import java.util.stream.IntStream; +import javax.xml.transform.TransformerFactory; + +/** + * @test @bug 8330542 + * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest + * @modules java.xml/jdk.xml.internal + * @run driver common.config.ConfigFileTest 0 // verifies jaxp-strict.properties + * @run driver common.config.ConfigFileTest 1 // verifies jaxp-compat.properties + * @summary verifies the JAXP configuration files jaxp-strict.properties and + * jaxp-compat.properties. 
+ */ +public class ConfigFileTest { + // system property for custom configuration file + static final String SP_CONFIG = "java.xml.config.file"; + + // properties in the configuration file + String[] keys = { + "jdk.xml.enableExtensionFunctions", + "jdk.xml.overrideDefaultParser", + "jdk.xml.jdkcatalog.resolve", + "jdk.xml.dtd.support", + "jdk.xml.entityExpansionLimit", + "jdk.xml.totalEntitySizeLimit", + "jdk.xml.maxGeneralEntitySizeLimit", + "jdk.xml.maxParameterEntitySizeLimit", + "jdk.xml.entityReplacementLimit", + "jdk.xml.elementAttributeLimit", + "jdk.xml.maxOccurLimit", + "jdk.xml.maxElementDepth", + "jdk.xml.maxXMLNameLimit", + "jdk.xml.xpathExprGrpLimit", + "jdk.xml.xpathExprOpLimit", + "jdk.xml.xpathTotalOpLimit"}; + + // type of properties + boolean[] propertyIsFeature ={true, true, false, false, false, false, + false, false, false, false, false, false, false, false, false, false}; + + // values from jaxp-strict.properties + String[] strictValues ={"false", "false", "strict", "allow", "2500", "100000", + "100000", "15000", "100000", "10000", "5000", "0", "1000", "10", "100", "10000"}; + + // values from jaxp-compat.properties + String[] compatValues ={"true", "false", "continue", "allow", "64000", "10000000", + "0", "1000000", "3000000", "10000", "5000", "0", "1000", "10", "100", "10000"}; + + public static void main(String args[]) throws Exception { + new ConfigFileTest().run(args[0]); + } + + public void run(String index) throws Exception { + if (index.equals("0")) { + verifyConfig(CONFIG_STRICT, strictValues); + } else { + verifyConfig(CONFIG_COMPAT, compatValues); + } + } + + /** + * Verifies a configuration file by iterating through its property settings. 
+ * @param filename the configuration file + * @param values expected values in the configuration file + */ + private void verifyConfig(String filename, String[] values) { + String javaHome = System.getProperty("java.home"); + System.setProperty(SP_CONFIG, javaHome + "/conf/" + filename); + + TransformerFactory tf = TransformerFactory.newInstance(); + IntStream.range(0, keys.length).forEach(i -> { + if (propertyIsFeature[i]) { + TestBase.Assert.assertEquals(tf.getFeature(keys[i]), Boolean.parseBoolean(values[i])); + } else { + TestBase.Assert.assertEquals(tf.getAttribute(keys[i]), values[i]); + } + }); + System.clearProperty(SP_CONFIG); + } +} diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java index 6be967d8dd5a2..5466654912efb 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2023, 2024, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.io.InputStream; import java.io.StringReader; import java.io.StringWriter; +import java.util.Objects; import java.util.regex.Pattern; import javax.xml.XMLConstants; import javax.xml.catalog.CatalogFeatures; @@ -121,6 +122,10 @@ public class TestBase { // CATALOG=strict public static final String CONFIG_CATALOG_STRICT = "catalog2.properties"; + // JAXP Configuration Files to be added to $JAVA_HOME/conf/ + public static final String CONFIG_STRICT = "jaxp-strict.properties"; + public static final String CONFIG_COMPAT = "jaxp-compat.properties"; + public static final String UNKNOWN_HOST = "invalid.site.com"; String xmlExternalEntity, xmlExternalEntityId; 
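Review bot: `verifyConfig` in ConfigFileTest.java can pass without the configuration file ever being read. The property-file headers in this series state that a read error makes configuration proceed as if `java.xml.config.file` was not set, and most entries in `compatValues` appear to equal the built-in defaults. Assert the file is readable before creating the factory, e.g. `Path cfg = Path.of(javaHome, "conf", filename);` followed by `TestBase.Assert.assertTrue(Files.isReadable(cfg), "cannot read " + cfg);` (needs the `java.nio.file.Files` and `java.nio.file.Path` imports). `System.clearProperty(SP_CONFIG)` is also skipped when an assertion throws, so a `try`/`finally` around the factory use would stop the property leaking if the method is ever called in-process more than once.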
@@ -133,6 +138,10 @@ public static enum Properties { // config file: CATALOG = strict CONFIG_FILE_CATALOG_STRICT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_CATALOG_STRICT)), CONFIG_FILE_DTD2(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, JCF_DTD2)), + // JAXP Configuration Files to be added to $JAVA_HOME/conf/ + CONFIG_FILE_STRICT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_STRICT)), + CONFIG_FILE_COMPAT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_COMPAT)), + FSP(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "true"), FSP_FALSE(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "false"), @@ -715,7 +724,7 @@ static String getPath(String base, String file) { return temp; } - static class Assert { + public static class Assert { public static void assertTrue(boolean condition) { assertTrue(condition, null); } @@ -733,5 +742,11 @@ public static void assertTrue(boolean condition, String message) { public static void fail(String message) { throw new RuntimeException("Test failed. " + message); } + + public static void assertEquals(Object actual, Object expected) { + if (!Objects.equals(actual, expected)) { + throw new RuntimeException("Expected: " + expected + " but actual result was " + actual); + } + } } } From f3af4ae9633eb6f13640b3b004f42821a910fb17 Mon Sep 17 00:00:00 2001 
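Review bot: The new `Assert.assertEquals` in the last TestBase.java hunk reports only the two values, so a failure inside the 16-key loop of `ConfigFileTest.verifyConfig` does not say which property mismatched. An overload that takes a message, `public static void assertEquals(Object actual, Object expected, String message)`, with the key passed by the caller, would make a wrong limit diagnosable from the log. The parameter order (actual, expected) is the reverse of JUnit's and deserves a one-line Javadoc on the method.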
From: JoeWang-Java Date: Thu, 16 May 2024 18:50:27 +0000 Subject: [PATCH 08/16] The JDK provides two configuration files instead of three. Updated jaxp-strict.properties to reflect the change. Removed jaxp-compat. Updated jaxp.properties with properties the same as in jaxp-strict, setting to default values. --- src/java.xml/share/classes/module-info.java | 9 +- .../share/conf/jaxp-compat.properties | 137 ------------------ .../share/conf/jaxp-strict.properties | 23 +-- src/java.xml/share/conf/jaxp.properties | 29 ++-- .../common/config/ConfigFileTest.java | 18 +-- .../jaxp/unittest/common/util/TestBase.java | 1 + 6 files changed, 34 insertions(+), 183 deletions(-) delete mode 100644 src/java.xml/share/conf/jaxp-compat.properties diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index febd31cba535f..0fab272f303dd 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -425,7 +425,7 @@ *
    * *

    JAXP Configuration Files

    - * The JDK provides three JAXP Configuration Files: + * The JDK provides two JAXP Configuration Files: * *
      *
    • {@code jaxp.properties}: @@ -445,13 +445,6 @@ * identify issues such as a processor unknowingly makes outbound network * connections to fetch DTD, or processes XML that relies on extension functions. *
    • - * - *
    • {@code jaxp-compat.properties}: a configuration specifying - * the property values that are the same as the properties' default values. It can - * be used to regain compatibility from a more strict configuration in a future release. - * The difference from the default {@code jaxp.properties} is that it contains - * additional properties that were not included in {@code jaxp.properties}, - * setting them to their default values.
    • *
    * * diff --git a/src/java.xml/share/conf/jaxp-compat.properties b/src/java.xml/share/conf/jaxp-compat.properties deleted file mode 100644 index 62527b2742d8c..0000000000000 --- a/src/java.xml/share/conf/jaxp-compat.properties +++ /dev/null 
@@ -1,137 +0,0 @@ -################################################################################ -# JAXP Compatibility Configuration File -# -# This is one of the three configuration files provided in the JDK: -# -# jaxp.properties: this is the default configuration that the JDK uses to set -# property values when XML factories are initiated. -# -# jaxp-strict.properties: this property file provides settings that will be -# equivalent to what will be the default JAXP settings in a future release to -# make the use of JAXP more secure by default. This file allows deployments to -# test the more secure/strict behavior, identify issues such as a processor -# unknowingly makes outbound network connections to fetch DTD, or processes XML -# that relies on extension functions. -# -# jaxp-compat.properties: this configuration specifies the property values that -# are the same as the properties' default values. It can be used to regain -# compatibility from a more strict configuration in a future release. -# The difference from the default `jaxp.properties` is that it contains additional -# properties that were not included in jaxp.properties, setting them to their -# default values. -# -# In this configuration, properties that have more restrictive settings as in the -# strict configuration (jaxp-strict.properties) are reversed back to their -# defaults. In particular: -# - JDKCatalog Resolve is set to "continue" -# - Extension Functions are enabled -# - JAXP Limits are set to their default values -# -# This configuration file can be used to reverse back to a working environment -# prior to any more restrictive configuration that may have been applied. -# Use the system property java.xml.config.file to override the default configuration: -# -# java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties -# -# The pathname to the configuration file must be valid. If it is not absolute, -# it will be considered relative to the working directory of the JVM. 
If there -# is an error reading the configuration file, the configuration process proceeds -# as if the java.xml.config.file property was not set. -# -################################################################################ - -# -# ---- Implementation Specific Properties ---- -# For a complete list of properties, refer to the Implementation Specific Properties -# table in the java.xml/module-summary. -# -# Extension Functions: -# -# This property determines whether XSLT and XPath extension functions are allowed. -# The value type is boolean and the default value is true (allowing -# extension functions). The following entry would override any change that may -# have been made by the default configuration: -# -jdk.xml.enableExtensionFunctions=true -# -# -# Overriding the default parser: -# -# This property allows using a third party implementation to override the default -# parser provided by the JDK. The value type is boolean and the default value is -# false, disallowing overriding the default parser. The setting below reflects -# the default property setting: -# -jdk.xml.overrideDefaultParser=false -# -# Implementation Specific Properties - jdkcatalog.resolve -# -# This property instructs the JDK default CatalogResolver to act in accordance with -# the setting when unable to resolve an external reference with the built-in Catalog. -# The options are: -# continue -- indicates that the processing should continue -# ignore -- indicates that the reference is skipped -# strict -- indicates that the resolver should throw a CatalogException -# -# The following setting would allow the resolution to continue in cases where -# external references are not resolved by a user-defined resolver or catalog if -# any, and the JDKCatalog: -jdk.xml.jdkcatalog.resolve=continue -# -# Implementation Specific Properties - DTD -# -# This property instructs the parsers to: deny, ignore or allow DTD processing. 
-# The following setting would cause the parser to reject DTD by throwing an exception. -# jdk.xml.dtd.support=deny -# -# The following setting permits the processor to continue processing DTDs -jdk.xml.dtd.support=allow -# -# Implementation Specific Properties - Limits -# -# Limits have a value type Integer. The values must be positive integers. Zero -# means no limit. -# -# Limits the number of entity expansions -jdk.xml.entityExpansionLimit=64000 -# -# Limits the total size of all entities that include general and parameter entities. -# The size is calculated as an aggregation of all entities. -jdk.xml.totalEntitySizeLimit=10000000 -# -# Limits the maximum size of any general entities. -jdk.xml.maxGeneralEntitySizeLimit=0 -# -# Limits the maximum size of any parameter entities, including the result of -# nesting multiple parameter entities. -jdk.xml.maxParameterEntitySizeLimit=1000000 -# -# Limits the total number of nodes in all entity references. -jdk.xml.entityReplacementLimit=3000000 -# -# Limits the number of attributes an element can have. The default value is 10000. -jdk.xml.elementAttributeLimit=10000 -# -# Limits the number of content model nodes that may be created when building a -# grammar for a W3C XML Schema that contains maxOccurs attributes with values -# other than "unbounded". The default value is 5000. -jdk.xml.maxOccurLimit=5000 -# -# Limits the maximum element depth. The default value is 0. -jdk.xml.maxElementDepth=0 -# -# Limits the maximum size of XML names, including element name, attribute name -# and namespace prefix and URI. The default value is 1000. -jdk.xml.maxXMLNameLimit=1000 -# -# -# XPath Limits -# -# Limits the number of groups an XPath expression can contain. The default value is 10. -jdk.xml.xpathExprGrpLimit=10 -# -# Limits the number of operators an XPath expression can contain. The default value is 100. -jdk.xml.xpathExprOpLimit=100 -# -# Limits the total number of XPath operators in an XSL Stylesheet. 
The default value is 10000. -jdk.xml.xpathTotalOpLimit=10000 diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index 4559489e85eb9..9508589563d19 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties 
@@ -1,37 +1,28 @@ ################################################################################ # JAXP Strict Configuration File # -# This is one of the three configuration files provided in the JDK: -# -# jaxp.properties: this is the default configuration that the JDK uses to set -# property values when XML factories are initiated. -# -# jaxp-strict.properties: this property file provides settings that will be +# This property file, jaxp-strict.properties, provides settings that will be # equivalent to what will be the default JAXP settings in a future release to # make the use of JAXP more secure by default. This file allows deployments to # test the more secure/strict behavior, identify issues such as a processor # unknowingly makes outbound network connections to fetch DTD, or processes XML # that relies on extension functions. # -# jaxp-compat.properties: this configuration specifies the property values that -# are the same as the properties' default values. It can be used to regain -# compatibility from a more strict configuration in a future release. -# The difference from the default `jaxp.properties` is that it contains additional -# properties that were not included in jaxp.properties, setting them to their -# default values. -# -# This file, jaxp-strict.properties represents more restrictive settings than the -# default jaxp.properties. In particular: +# It represents more restrictive settings than the current default jaxp.properties. 
+# In particular: # - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers # # This configuration file can be set up using the system property # java.xml.config.file to override the default configuration jaxp.properties -# and used to assess the impact of a stricter configuration: +# and used to assess the impact of a stricter configuration, for example: # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties # +# It is recommended that you make a copy of this file and create your own +# configuration file for the experiment. +# # The pathname to the configuration file must be valid. If it is not absolute, # it will be considered relative to the working directory of the JVM. If there # is an error reading the configuration file, the configuration process proceeds diff --git a/src/java.xml/share/conf/jaxp.properties b/src/java.xml/share/conf/jaxp.properties index 53074816cb977..bcc1d9c09d0bc 100644 --- a/src/java.xml/share/conf/jaxp.properties +++ b/src/java.xml/share/conf/jaxp.properties @@ -61,7 +61,7 @@ # extension functions). The following entry would override the default value and # disallow extension functions: # -# jdk.xml.enableExtensionFunctions=false +jdk.xml.enableExtensionFunctions=true # # # Overriding the default parser: @@ -137,9 +137,10 @@ jdk.xml.overrideDefaultParser=false # ignore -- indicates that the reference is skipped # strict -- indicates that the resolver should throw a CatalogException # -# The following setting would cause the resolve to throw a CatalogException when -# unable to resolve an external reference: -# jdk.xml.jdkcatalog.resolve=strict +# The following setting would allow the resolution to continue in cases where +# external references are not resolved by a user-defined resolver or catalog if +# any, and the JDKCatalog: +jdk.xml.jdkcatalog.resolve=continue # # Implementation Specific Properties - DTD # 
@@ -147,38 +148,41 @@ jdk.xml.overrideDefaultParser=false # The following setting would cause the parser to reject DTD by throwing an exception. # jdk.xml.dtd.support=deny # +# The following setting permits the processor to continue processing DTDs +jdk.xml.dtd.support=allow +# # Implementation Specific Properties - Limits # # Limits have a value type Integer. The values must be positive integers. Zero # means no limit. # # Limits the number of entity expansions. The default value is 64000 -# jdk.xml.entityExpansionLimit=64000 +jdk.xml.entityExpansionLimit=64000 # # Limits the total size of all entities that include general and parameter entities. # The size is calculated as an aggregation of all entities. The default value is 5x10^7. -# jdk.xml.totalEntitySizeLimit=5E7 +jdk.xml.totalEntitySizeLimit=10000000 # # Limits the maximum size of any general entities. The default value is 0. -# jdk.xml.maxGeneralEntitySizeLimit=0 +jdk.xml.maxGeneralEntitySizeLimit=0 # # Limits the maximum size of any parameter entities, including the result of # nesting multiple parameter entities. The default value is 10^6. -# jdk.xml.maxParameterEntitySizeLimit=1E6 +jdk.xml.maxParameterEntitySizeLimit=1000000 # # Limits the total number of nodes in all entity references. The default value is 3x10^6. -# jdk.xml.entityReplacementLimit=3E6 +jdk.xml.entityReplacementLimit=3000000 # # Limits the number of attributes an element can have. The default value is 10000. -# jdk.xml.elementAttributeLimit=10000 +jdk.xml.elementAttributeLimit=10000 # # Limits the number of content model nodes that may be created when building a # grammar for a W3C XML Schema that contains maxOccurs attributes with values # other than "unbounded". The default value is 5000. -# jdk.xml.maxOccurLimit=5000 +jdk.xml.maxOccurLimit=5000 # # Limits the maximum element depth. The default value is 0. 
-# jdk.xml.maxElementDepth=0 +jdk.xml.maxElementDepth=0 # # Limits the maximum size of XML names, including element name, attribute name # and namespace prefix and URI. The default value is 1000. @@ -195,4 +199,3 @@ jdk.xml.xpathExprOpLimit=100 # # Limits the total number of XPath operators in an XSL Stylesheet. The default value is 10000. jdk.xml.xpathTotalOpLimit=10000 - diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java index 7127166e54f7a..2447669906bc1 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java @@ -23,7 +23,7 @@ package common.config; import common.util.TestBase; -import static common.util.TestBase.CONFIG_COMPAT; +import static common.util.TestBase.CONFIG_DEFAULT; import static common.util.TestBase.CONFIG_STRICT; import java.util.stream.IntStream; import javax.xml.transform.TransformerFactory; @@ -32,10 +32,10 @@ * @test @bug 8330542 * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest * @modules java.xml/jdk.xml.internal - * @run driver common.config.ConfigFileTest 0 // verifies jaxp-strict.properties - * @run driver common.config.ConfigFileTest 1 // verifies jaxp-compat.properties - * @summary verifies the JAXP configuration files jaxp-strict.properties and - * jaxp-compat.properties. + * @run driver common.config.ConfigFileTest 0 // verifies jaxp.properties + * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.properties + * @summary verifies the JAXP configuration files jaxp.properties and + * jaxp-strict.properties. */ public class ConfigFileTest { // system property for custom configuration file 
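Review bot: In the Limits hunk of jaxp.properties the newly active `jdk.xml.totalEntitySizeLimit=10000000` contradicts the comment directly above it, which still says the default value is 5x10^7. Activating the entry therefore changes the effective limit instead of restating the default, which matters because this file is described as the default configuration. Either write `jdk.xml.totalEntitySizeLimit=50000000` or correct the comment. The `defaultValues` array in ConfigFileTest carries the same 10000000 value and needs the matching change. Patch 11/16 later in this series withdraws these entries, but this commit on its own ships the mismatch.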
@@ -68,8 +68,8 @@ public class ConfigFileTest { String[] strictValues ={"false", "false", "strict", "allow", "2500", "100000", "100000", "15000", "100000", "10000", "5000", "0", "1000", "10", "100", "10000"}; - // values from jaxp-compat.properties - String[] compatValues ={"true", "false", "continue", "allow", "64000", "10000000", + // values from jaxp.properties, as of JDK 23 + String[] defaultValues ={"true", "false", "continue", "allow", "64000", "10000000", "0", "1000000", "3000000", "10000", "5000", "0", "1000", "10", "100", "10000"}; public static void main(String args[]) throws Exception { @@ -78,9 +78,9 @@ public static void main(String args[]) throws Exception { public void run(String index) throws Exception { if (index.equals("0")) { - verifyConfig(CONFIG_STRICT, strictValues); + verifyConfig(CONFIG_DEFAULT, defaultValues); } else { - verifyConfig(CONFIG_COMPAT, compatValues); + verifyConfig(CONFIG_STRICT, strictValues); } } diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java index 5466654912efb..6be013d73181c 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java @@ -123,6 +123,7 @@ public class TestBase { public static final String CONFIG_CATALOG_STRICT = "catalog2.properties"; // JAXP Configuration Files to be added to $JAVA_HOME/conf/ + public static final String CONFIG_DEFAULT = "jaxp.properties"; public static final String CONFIG_STRICT = "jaxp-strict.properties"; public static final String CONFIG_COMPAT = "jaxp-compat.properties"; From cf4df792f22233dad941049d50bdf52aff82805f Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Thu, 16 May 2024 22:16:52 +0000 Subject: [PATCH 09/16] remove jaxp-compat.properties from the list --- src/java.xml/share/classes/module-info.java | 1 - 1 file changed, 1 deletion(-) 
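Review bot: The TestBase.java hunk adds `CONFIG_DEFAULT` but keeps `CONFIG_COMPAT = "jaxp-compat.properties"`, even though this commit deletes that file. Its diffstat shows only one added line in TestBase.java, so the `CONFIG_FILE_COMPAT` enum entry from the earlier patch also remains and still points at a path that no longer exists under `conf/`. I would remove both in this commit (later patches in the series are outside this view and may already do so). A leftover constant for a missing configuration file is easy to select by accident, and the documented fallback means that choice would silently run with defaults.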
diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 0fab272f303dd..7d233674933fe 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -406,7 +406,6 @@ * *
  • From 2ee2c7ca54ccc79c3401aa407fe416ad15699d49 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Fri, 17 May 2024 21:50:46 +0000 Subject: [PATCH 10/16] modernize make copy; update module summary and jaxp-strict. --- make/modules/java.xml/Copy.gmk | 14 ++++++-------- src/java.xml/share/classes/module-info.java | 6 +++--- src/java.xml/share/conf/jaxp-strict.properties | 15 +++------------ 3 files changed, 12 insertions(+), 23 deletions(-) diff --git a/make/modules/java.xml/Copy.gmk b/make/modules/java.xml/Copy.gmk index 9d24486a4fe34..d2b768182ad75 100644 --- a/make/modules/java.xml/Copy.gmk +++ b/make/modules/java.xml/Copy.gmk @@ -28,14 +28,12 @@ include Modules.gmk ################################################################################ # -# Copy property files from share/conf to CONF_DST_DIR LIB_DST_DIR +# Copy property files from share/conf to CONF_DST_DIR # -JAXPPROPFILE_SRC_DIR := $(TOPDIR)/src/java.xml/share/conf -JAXPPROPFILE_SRCS := $(wildcard $(JAXPPROPFILE_SRC_DIR)/jaxp*.properties*) -JAXPPROPFILE_TARGET_FILES := $(subst $(JAXPPROPFILE_SRC_DIR),$(CONF_DST_DIR),$(JAXPPROPFILE_SRCS)) +$(eval $(call SetupCopyFiles, COPY_XML_MODULE_CONF, \ + DEST := $(CONF_DST_DIR), \ + FILES := $(wildcard $(TOPDIR)/src/java.xml/share/conf/jaxp*.properties*), \ +)) -$(CONF_DST_DIR)/%: $(JAXPPROPFILE_SRC_DIR)/% - $(call install-file) - -TARGETS += $(JAXPPROPFILE_TARGET_FILES) +TARGETS += $(COPY_XML_MODULE_CONF) ################################################################################ diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 7d233674933fe..6b59b62062b54 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -440,9 +440,9 @@ *
  • JAXP Limits are set to smaller numbers
  • *
* - * This file allows deployments to test the more secure/strict behavior, - * identify issues such as a processor unknowingly makes outbound network - * connections to fetch DTD, or processes XML that relies on extension functions. + * Deploying with this configuration prevents processors from unknowingly making + * outbound network connections to fetch DTDs, or process XML that makes use of + * extension functions. * * * diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index 9508589563d19..b2941bf59c70d 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties @@ -1,15 +1,9 @@ ################################################################################ # JAXP Strict Configuration File # -# This property file, jaxp-strict.properties, provides settings that will be -# equivalent to what will be the default JAXP settings in a future release to -# make the use of JAXP more secure by default. This file allows deployments to -# test the more secure/strict behavior, identify issues such as a processor -# unknowingly makes outbound network connections to fetch DTD, or processes XML -# that relies on extension functions. -# -# It represents more restrictive settings than the current default jaxp.properties. -# In particular: +# This property file, jaxp-strict.properties, represents a more secure configuration +# for XML processing. It provides settings that are more restrictive than the +# current default jaxp.properties. In particular: # - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers 
@@ -20,9 +14,6 @@ # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties # -# It is recommended that you make a copy of this file and create your own -# configuration file for the experiment. -# # The pathname to the configuration file must be valid. If it is not absolute, # it will be considered relative to the working directory of the JVM. If there # is an error reading the configuration file, the configuration process proceeds From dfc965c6e018bb54f0d45bdd1f87f164b7605439 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Sun, 19 May 2024 04:56:38 +0000 Subject: [PATCH 11/16] withdraw changes to jaxp.properties. The configuration process has not changed, changing the default configuration would result in many failures that test the process. --- src/java.xml/share/conf/jaxp.properties | 18 +++++++++--------- .../unittest/common/config/ConfigFileTest.java | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/java.xml/share/conf/jaxp.properties b/src/java.xml/share/conf/jaxp.properties index bcc1d9c09d0bc..1baead2e6830a 100644 --- a/src/java.xml/share/conf/jaxp.properties +++ b/src/java.xml/share/conf/jaxp.properties @@ -61,7 +61,7 @@ # extension functions). The following entry would override the default value and # disallow extension functions: # -jdk.xml.enableExtensionFunctions=true +# jdk.xml.enableExtensionFunctions=false # # # Overriding the default parser: 
@@ -157,32 +157,32 @@ jdk.xml.dtd.support=allow # means no limit. # # Limits the number of entity expansions. The default value is 64000 -jdk.xml.entityExpansionLimit=64000 +# jdk.xml.entityExpansionLimit=64000 # # Limits the total size of all entities that include general and parameter entities. # The size is calculated as an aggregation of all entities. The default value is 5x10^7. -jdk.xml.totalEntitySizeLimit=10000000 +# jdk.xml.totalEntitySizeLimit=50000000 # # Limits the maximum size of any general entities. The default value is 0. -jdk.xml.maxGeneralEntitySizeLimit=0 +# jdk.xml.maxGeneralEntitySizeLimit=0 # # Limits the maximum size of any parameter entities, including the result of # nesting multiple parameter entities. The default value is 10^6. -jdk.xml.maxParameterEntitySizeLimit=1000000 +# jdk.xml.maxParameterEntitySizeLimit=1000000 # # Limits the total number of nodes in all entity references. The default value is 3x10^6. -jdk.xml.entityReplacementLimit=3000000 +# jdk.xml.entityReplacementLimit=3000000 # # Limits the number of attributes an element can have. The default value is 10000. -jdk.xml.elementAttributeLimit=10000 +# jdk.xml.elementAttributeLimit=10000 # # Limits the number of content model nodes that may be created when building a # grammar for a W3C XML Schema that contains maxOccurs attributes with values # other than "unbounded". The default value is 5000. -jdk.xml.maxOccurLimit=5000 +# jdk.xml.maxOccurLimit=5000 # # Limits the maximum element depth. The default value is 0. -jdk.xml.maxElementDepth=0 +# jdk.xml.maxElementDepth=0 # # Limits the maximum size of XML names, including element name, attribute name # and namespace prefix and URI. The default value is 1000. diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java index 2447669906bc1..f17fd78257903 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java 
+++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java @@ -69,7 +69,7 @@ public class ConfigFileTest { "100000", "15000", "100000", "10000", "5000", "0", "1000", "10", "100", "10000"}; // values from jaxp.properties, as of JDK 23 - String[] defaultValues ={"true", "false", "continue", "allow", "64000", "10000000", + String[] defaultValues ={"true", "false", "continue", "allow", "64000", "50000000", "0", "1000000", "3000000", "10000", "5000", "0", "1000", "10", "100", "10000"}; public static void main(String args[]) throws Exception { From 55a86db31c0cda78eb119b6680787e437345ca61 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Mon, 20 May 2024 16:25:11 +0000 Subject: [PATCH 12/16] updated jaxp-strict; fixed typo in module-info. --- src/java.xml/share/classes/module-info.java | 2 +- src/java.xml/share/conf/jaxp-strict.properties | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 6b59b62062b54..3d4ef0bbb3bd7 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -441,7 +441,7 @@ * * * Deploying with this configuration prevents processors from unknowingly making - * outbound network connections to fetch DTDs, or process XML that makes use of + * outbound network connections to fetch DTDs, or processing XML that makes use of * extension functions. * * diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.properties index b2941bf59c70d..cdc808cd3e289 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.properties 
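Review bot: The comment `// values from jaxp.properties, as of JDK 23` above `defaultValues` no longer says where these values come from. This same patch comments out the limit entries in jaxp.properties, so the expected `"50000000"` and the other limits are presumably the implementation's built-in defaults rather than values read from the file. I would reword it to `// built-in defaults; jaxp.properties leaves the limit entries commented out (JDK 23)`. It also means that run 0 does not demonstrate that a limit set in the default file is actually applied, which matters to anyone counting on this test as coverage for the processing limits. The class body continues outside the hunk.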
@@ -14,10 +14,8 @@ # # java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties # -# The pathname to the configuration file must be valid. If it is not absolute, -# it will be considered relative to the working directory of the JVM. If there -# is an error reading the configuration file, the configuration process proceeds -# as if the java.xml.config.file property was not set. +# The system property java.xml.config.file is defined in the java.xml module +# description. # ################################################################################ From dd7f6239fc6076032240b7c55683ce995076fe70 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Tue, 21 May 2024 20:25:40 +0000 Subject: [PATCH 13/16] add a note to module-info --- src/java.xml/share/classes/module-info.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 3d4ef0bbb3bd7..3ab14c287cd75 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java @@ -446,6 +446,8 @@ * * * + * The configuration settings in these properties files are subject to change + * from release to release. * *

JDK built-in Catalog

* The JDK has a built-in catalog that hosts the following DTDs defined by the Java Platform: From 0de8ad6913565b91efb831176d21a5b100011032 Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Fri, 24 May 2024 05:23:14 +0000 Subject: [PATCH 14/16] add a template instead of a property file; remove implNote; update test and make script accordingly. --- make/modules/java.xml/Copy.gmk | 5 +-- src/java.xml/share/classes/module-info.java | 35 +------------------ ...strict.properties => jaxp-strict.template} | 17 +++++---- .../common/config/ConfigFileTest.java | 24 ++++++++----- .../jaxp/unittest/common/util/TestBase.java | 5 +-- 5 files changed, 32 insertions(+), 54 deletions(-) rename src/java.xml/share/conf/{jaxp-strict.properties => jaxp-strict.template} (87%) diff --git a/make/modules/java.xml/Copy.gmk b/make/modules/java.xml/Copy.gmk index d2b768182ad75..e4af290c65c2a 100644 --- a/make/modules/java.xml/Copy.gmk +++ b/make/modules/java.xml/Copy.gmk @@ -28,11 +28,12 @@ include Modules.gmk ################################################################################ # -# Copy property files from share/conf to CONF_DST_DIR +# Copy property file and template from share/conf to CONF_DST_DIR # $(eval $(call SetupCopyFiles, COPY_XML_MODULE_CONF, \ DEST := $(CONF_DST_DIR), \ - FILES := $(wildcard $(TOPDIR)/src/java.xml/share/conf/jaxp*.properties*), \ + SRC := $(TOPDIR)/src/java.xml/share/conf, \ + FILES := jaxp.properties jaxp-strict.template, \ )) TARGETS += $(COPY_XML_MODULE_CONF) diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java index 3ab14c287cd75..78ae956151906 100644 --- a/src/java.xml/share/classes/module-info.java +++ b/src/java.xml/share/classes/module-info.java 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2014, 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2014, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -402,13 +402,6 @@ * @implNote * *
    - *
  • JAXP Configuration Files - * - *
  • - *
  • JDK built-in Catalog * * - *

    JAXP Configuration Files

    - * The JDK provides two JAXP Configuration Files: - * - *
      - *
    • {@code jaxp.properties}: - * the default configuration that the JDK uses to set property values when XML - * factories are initiated.
    • - * - *
    • {@code jaxp-strict.properties}: a configuration that - * contains more restrictive settings than the default {@code jaxp.properties}. - * In particular: - * - * - * Deploying with this configuration prevents processors from unknowingly making - * outbound network connections to fetch DTDs, or processing XML that makes use of - * extension functions. - *
    • - *
    - * - * The configuration settings in these properties files are subject to change - * from release to release. - * *

    JDK built-in Catalog

    * The JDK has a built-in catalog that hosts the following DTDs defined by the Java Platform: *
      diff --git a/src/java.xml/share/conf/jaxp-strict.properties b/src/java.xml/share/conf/jaxp-strict.template similarity index 87% rename from src/java.xml/share/conf/jaxp-strict.properties rename to src/java.xml/share/conf/jaxp-strict.template index cdc808cd3e289..6087a845b49ce 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties +++ b/src/java.xml/share/conf/jaxp-strict.template @@ -1,18 +1,23 @@ ################################################################################ -# JAXP Strict Configuration File +# JAXP Strict Configuration Template # -# This property file, jaxp-strict.properties, represents a more secure configuration -# for XML processing. It provides settings that are more restrictive than the -# current default jaxp.properties. In particular: +# This file, jaxp-strict.template, provides a template for creating custom +# configuration files. The settings in this file are more restrictive than those +# in the default configuration, jaxp.properties. In particular: # - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers # -# This configuration file can be set up using the system property +# To create a configuration file, copy the template to a new file with +# the .properties extension, that is: +# +# cp $JAVA_HOME/conf/jaxp-strict.template /path/to/jaxp-strict.properties +# +# The configuration file can then be set up using the system property # java.xml.config.file to override the default configuration jaxp.properties # and used to assess the impact of a stricter configuration, for example: # -# java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-strict.properties +# java -Djava.xml.config.file=/path/to/jaxp-strict.properties # # The system property java.xml.config.file is defined in the java.xml module # description. 
diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java index f17fd78257903..66a320a14e5d1 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java @@ -25,6 +25,10 @@ import common.util.TestBase; import static common.util.TestBase.CONFIG_DEFAULT; import static common.util.TestBase.CONFIG_STRICT; +import static common.util.TestBase.CONFIG_TEMPLATE_STRICT; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; import java.util.stream.IntStream; import javax.xml.transform.TransformerFactory; @@ -33,13 +37,15 @@ * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest * @modules java.xml/jdk.xml.internal * @run driver common.config.ConfigFileTest 0 // verifies jaxp.properties - * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.properties - * @summary verifies the JAXP configuration files jaxp.properties and - * jaxp-strict.properties. + * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.template + * @summary verifies the default JAXP configuration file jaxp.properties and + * strict template jaxp-strict.template. */ public class ConfigFileTest { // system property for custom configuration file static final String SP_CONFIG = "java.xml.config.file"; + // target directory + static String TEST_DIR = System.getProperty("test.classes"); // properties in the configuration file String[] keys = { @@ -64,7 +70,7 @@ public class ConfigFileTest { boolean[] propertyIsFeature ={true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false}; - // values from jaxp-strict.properties + // values from jaxp-strict.template String[] strictValues ={"false", "false", "strict", "allow", "2500", "100000", "100000", "15000", "100000", "10000", "5000", "0", "1000", "10", "100", "10000"}; 
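Review bot: `TEST_DIR` in the second hunk of ConfigFileTest.java is a non-final static that is assigned once, so `static final String TEST_DIR = System.getProperty("test.classes");` would state the intent and rule out reassignment. The property is null when the class is started outside the jtreg harness, and the value is later handed to `Paths.get` in `run`. A more precise comment than `// target directory` would help, for example `// set by jtreg; the strict configuration is copied into this directory`. The class body continues outside the hunk.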
@@ -77,10 +83,13 @@ public static void main(String args[]) throws Exception { } public void run(String index) throws Exception { + String conf = System.getProperty("java.home") + "/conf/"; if (index.equals("0")) { - verifyConfig(CONFIG_DEFAULT, defaultValues); + verifyConfig(conf + CONFIG_DEFAULT, defaultValues); } else { - verifyConfig(CONFIG_STRICT, strictValues); + Path config = Paths.get(TEST_DIR, CONFIG_STRICT); + Files.copy(Paths.get(conf, CONFIG_TEMPLATE_STRICT), config); + verifyConfig(config.toString(), strictValues); } } @@ -90,8 +99,7 @@ public void run(String index) throws Exception { * @param values expected values in the configuration file */ private void verifyConfig(String filename, String[] values) { - String javaHome = System.getProperty("java.home"); - System.setProperty(SP_CONFIG, javaHome + "/conf/" + filename); + System.setProperty(SP_CONFIG, filename); TransformerFactory tf = TransformerFactory.newInstance(); IntStream.range(0, keys.length).forEach(i -> { diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java index 6be013d73181c..73b0fe065189f 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java @@ -125,7 +125,7 @@ public class TestBase { // JAXP Configuration Files to be added to $JAVA_HOME/conf/ public static final String CONFIG_DEFAULT = "jaxp.properties"; public static final String CONFIG_STRICT = "jaxp-strict.properties"; - public static final String CONFIG_COMPAT = "jaxp-compat.properties"; + public static final String CONFIG_TEMPLATE_STRICT = "jaxp-strict.template"; public static final String UNKNOWN_HOST = "invalid.site.com"; 
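Review bot: `Files.copy(Paths.get(conf, CONFIG_TEMPLATE_STRICT), config)` in `run` throws FileAlreadyExistsException when the target already exists, which is likely on a second run if the `test.classes` directory is kept between runs. Passing the replace option avoids that: `Files.copy(Paths.get(conf, CONFIG_TEMPLATE_STRICT), config, StandardCopyOption.REPLACE_EXISTING);`, with `import java.nio.file.StandardCopyOption;` added next to the other `java.nio.file` imports in the first hunk of this file. Overwriting on every run also keeps the check tied to the template shipped in the JDK under test rather than to a copy left by an earlier build.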
@@ -139,9 +139,6 @@ public static enum Properties { // config file: CATALOG = strict CONFIG_FILE_CATALOG_STRICT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_CATALOG_STRICT)), CONFIG_FILE_DTD2(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, JCF_DTD2)), - // JAXP Configuration Files to be added to $JAVA_HOME/conf/ - CONFIG_FILE_STRICT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_STRICT)), - CONFIG_FILE_COMPAT(null, CONFIG_FILE, Type.FEATURE, getPath(CONFIG_FILE_PATH, CONFIG_COMPAT)), FSP(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "true"), FSP_FALSE(XMLConstants.FEATURE_SECURE_PROCESSING, null, Type.FEATURE, "false"), From 714095d1fa542d8d012d500ced0032531aa9e3ef Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Fri, 24 May 2024 16:31:44 +0000 Subject: [PATCH 15/16] rename the template to jaxp-strict.properties.template --- make/modules/java.xml/Copy.gmk | 4 ++-- ...xp-strict.template => jaxp-strict.properties.template} | 8 ++++---- .../xml/jaxp/unittest/common/config/ConfigFileTest.java | 6 +++--- .../javax/xml/jaxp/unittest/common/util/TestBase.java | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) rename src/java.xml/share/conf/{jaxp-strict.template => jaxp-strict.properties.template} (93%) diff --git a/make/modules/java.xml/Copy.gmk b/make/modules/java.xml/Copy.gmk index e4af290c65c2a..f242cb2ac7611 100644 --- a/make/modules/java.xml/Copy.gmk +++ b/make/modules/java.xml/Copy.gmk 
@@ -28,12 +28,12 @@ include Modules.gmk ################################################################################ # -# Copy property file and template from share/conf to CONF_DST_DIR +# Copy property and template files from share/conf to CONF_DST_DIR # $(eval $(call SetupCopyFiles, COPY_XML_MODULE_CONF, \ DEST := $(CONF_DST_DIR), \ SRC := $(TOPDIR)/src/java.xml/share/conf, \ - FILES := jaxp.properties jaxp-strict.template, \ + FILES := jaxp.properties jaxp-strict.properties.template, \ )) TARGETS += $(COPY_XML_MODULE_CONF) diff --git a/src/java.xml/share/conf/jaxp-strict.template b/src/java.xml/share/conf/jaxp-strict.properties.template similarity index 93% rename from src/java.xml/share/conf/jaxp-strict.template rename to src/java.xml/share/conf/jaxp-strict.properties.template index 6087a845b49ce..41d486c27db97 100644 --- a/src/java.xml/share/conf/jaxp-strict.template +++ b/src/java.xml/share/conf/jaxp-strict.properties.template @@ -1,9 +1,9 @@ ################################################################################ # JAXP Strict Configuration Template # -# This file, jaxp-strict.template, provides a template for creating custom -# configuration files. The settings in this file are more restrictive than those -# in the default configuration, jaxp.properties. In particular: +# This file, jaxp-strict.properties.template, provides a template for creating +# custom configuration files. The settings in this file are more restrictive than +# those in the default configuration, jaxp.properties. In particular: # - JDKCatalog Resolve is on "strict" setting # - Extension Functions are disabled # - JAXP Limits are set to smaller numbers 
@@ -11,7 +11,7 @@ # To create a configuration file, copy the template to a new file with # the .properties extension, that is: # -# cp $JAVA_HOME/conf/jaxp-strict.template /path/to/jaxp-strict.properties +# cp $JAVA_HOME/conf/jaxp-strict.properties.template /path/to/jaxp-strict.properties # # The configuration file can then be set up using the system property # java.xml.config.file to override the default configuration jaxp.properties diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java index 66a320a14e5d1..308587aa842c7 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java @@ -37,9 +37,9 @@ * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest * @modules java.xml/jdk.xml.internal * @run driver common.config.ConfigFileTest 0 // verifies jaxp.properties - * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.template + * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.properties.template * @summary verifies the default JAXP configuration file jaxp.properties and - * strict template jaxp-strict.template. + * strict template jaxp-strict.properties.template. */ public class ConfigFileTest { // system property for custom configuration file @@ -70,7 +70,7 @@ public class ConfigFileTest { boolean[] propertyIsFeature ={true, true, false, false, false, false, false, false, false, false, false, false, false, false, false, false}; - // values from jaxp-strict.template + // values from jaxp-strict.properties.template String[] strictValues ={"false", "false", "strict", "allow", "2500", "100000", "100000", "15000", "100000", "10000", "5000", "0", "1000", "10", "100", "10000"}; 
diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java index 73b0fe065189f..77672609147f6 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/util/TestBase.java @@ -125,7 +125,7 @@ public class TestBase { // JAXP Configuration Files to be added to $JAVA_HOME/conf/ public static final String CONFIG_DEFAULT = "jaxp.properties"; public static final String CONFIG_STRICT = "jaxp-strict.properties"; - public static final String CONFIG_TEMPLATE_STRICT = "jaxp-strict.template"; + public static final String CONFIG_TEMPLATE_STRICT = "jaxp-strict.properties.template"; public static final String UNKNOWN_HOST = "invalid.site.com"; From abc1e88b3a9572d20f95a0dadfb29bd58d77887f Mon Sep 17 00:00:00 2001 From: JoeWang-Java Date: Tue, 28 May 2024 16:22:16 +0000 Subject: [PATCH 16/16] update properties files with wording suggestions; move summary to after the test tag --- .../share/conf/jaxp-strict.properties.template | 16 ++++++++-------- src/java.xml/share/conf/jaxp.properties | 18 +++++++++--------- .../unittest/common/config/ConfigFileTest.java | 4 ++-- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/java.xml/share/conf/jaxp-strict.properties.template b/src/java.xml/share/conf/jaxp-strict.properties.template index 41d486c27db97..2d6cbc951e20e 100644 --- a/src/java.xml/share/conf/jaxp-strict.properties.template +++ b/src/java.xml/share/conf/jaxp-strict.properties.template 
@@ -33,15 +33,15 @@ # # This property determines whether XSLT and XPath extension functions are allowed. # The value type is boolean and the default value is true (allowing -# extension functions). The following entry would override the default value and -# disallow extension functions: +# extension functions). The following entry overrides the default value and +# disallows extension functions: # jdk.xml.enableExtensionFunctions=false # # # Overriding the default parser: # -# This property allows using a third party implementation to override the default +# This property allows a third party implementation to override the default # parser provided by the JDK. The value type is boolean and the default value is # false, disallowing overriding the default parser. The setting below reflects # the default property setting: @@ -57,15 +57,15 @@ jdk.xml.overrideDefaultParser=false # ignore -- indicates that the reference is skipped # strict -- indicates that the resolver should throw a CatalogException # -# The following setting would cause the resolve to throw a CatalogException when -# external references are not resolved by a user-defined resolver or catalog, -# or the JDKCatalog: +# The following setting causes the default CatalogResolver to throw a CatalogException +# when external references are not resolved by a user-defined resolver or catalog, +# or the built-in Catalog: jdk.xml.jdkcatalog.resolve=strict # # Implementation Specific Properties - DTD # -# This property instructs the parsers to: deny, ignore or allow DTD processing. -# The following setting would cause the parser to reject DTD by throwing an exception. +# This property instructs the parsers to deny, ignore or allow DTD processing. +# The following setting causes the parser to reject DTDs by throwing an exception. # jdk.xml.dtd.support=deny # # The following setting permits the processor to continue processing DTDs. Note 
diff --git a/src/java.xml/share/conf/jaxp.properties b/src/java.xml/share/conf/jaxp.properties index 1baead2e6830a..53835f637438a 100644 --- a/src/java.xml/share/conf/jaxp.properties +++ b/src/java.xml/share/conf/jaxp.properties @@ -31,7 +31,7 @@ # # The format of an entry is key=value where the key is the fully qualified name # of the factory and value that of the implementation class. The following entry -# set a DocumentBuilderFactory implementation class: +# sets a DocumentBuilderFactory implementation class: # # javax.xml.parsers.DocumentBuilderFactory=com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl # @@ -49,7 +49,7 @@ # # For example, the RESOLVE property in CatalogFeatures has an associated system # property called javax.xml.catalog.resolve. An entry for the RESOLVE property in the -# configuration file would therefore use javax.xml.catalog.resolve as the key, that +# configuration file therefore uses javax.xml.catalog.resolve as the key, that # is: # javax.xml.catalog.resolve=strict # @@ -58,15 +58,15 @@ # # This property determines whether XSLT and XPath extension functions are allowed. # The value type is boolean and the default value is true (allowing -# extension functions). The following entry would override the default value and -# disallow extension functions: +# extension functions). The following entry overrides the default value and +# disallows extension functions: # # jdk.xml.enableExtensionFunctions=false # # # Overriding the default parser: # -# This property allows using a third party implementation to override the default +# This property allows a third party implementation to override the default # parser provided by the JDK. The value type is boolean and the default value is # false, disallowing overriding the default parser. The setting below reflects # the default property setting: 
@@ -137,15 +137,15 @@ jdk.xml.overrideDefaultParser=false # ignore -- indicates that the reference is skipped # strict -- indicates that the resolver should throw a CatalogException # -# The following setting would allow the resolution to continue in cases where +# The following setting allows the resolution to continue in cases where # external references are not resolved by a user-defined resolver or catalog if -# any, and the JDKCatalog: +# any, and the built-in Catalog: jdk.xml.jdkcatalog.resolve=continue # # Implementation Specific Properties - DTD # -# This property instructs the parsers to: deny, ignore or allow DTD processing. -# The following setting would cause the parser to reject DTD by throwing an exception. +# This property instructs the parsers to deny, ignore or allow DTD processing. +# The following setting causes the parser to reject DTDs by throwing an exception. # jdk.xml.dtd.support=deny # # The following setting permits the processor to continue processing DTDs diff --git a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java index 308587aa842c7..fd5b8b36fa36b 100644 --- a/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java +++ b/test/jaxp/javax/xml/jaxp/unittest/common/config/ConfigFileTest.java @@ -34,12 +34,12 @@ /** * @test @bug 8330542 + * @summary verifies the default JAXP configuration file jaxp.properties and + * strict template jaxp-strict.properties.template. * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest * @modules java.xml/jdk.xml.internal * @run driver common.config.ConfigFileTest 0 // verifies jaxp.properties * @run driver common.config.ConfigFileTest 1 // verifies jaxp-strict.properties.template - * @summary verifies the default JAXP configuration file jaxp.properties and - * strict template jaxp-strict.properties.template. */ public class ConfigFileTest { // system property for custom configuration file